    Fail2Ban not working with Fedora-Server Edition

    • W
      Woti
      last edited by

      Do you guys have some recommended setup guides based on the latest Fedora/CentOS, or how to check if fail2ban works properly?

      JaredBuschJ 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @Woti
        last edited by

        @Woti said in Fail2Ban not working with Fedora-Server Edition:

        Do you guys have some recommended setup guides based on the latest Fedora/CentOS, or how to check if fail2ban works properly?

        You install it and turn it on

        sudo dnf install -y fail2ban
        sudo systemctl enable --now fail2ban
        

        You can see things with fail2ban-client

        sudo fail2ban-client status
        

        And specifics about a jail

        sudo fail2ban-client status sshd
        

        Beyond that, there is not any one "guide"

        You have to create jails that understand the application you are protecting.

        1 Reply Last reply Reply Quote 0
        • W
          Woti
          last edited by

          I have now activated sshd and it works perfectly. But Nextcloud doesn't.
          What other jails do you use? What is recommended?

          sudo fail2ban-client status sshd
          Status for the jail: sshd
          |- Filter
          |  |- Currently failed: 1
          |  |- Total failed:     13
          |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
          `- Actions
             |- Currently banned: 1
             |- Total banned:     1
             `- Banned IP list:   77.16.71.32
          

          Nextcloud is missing matching Journal it looks like?

          sudo fail2ban-client status nextcloud
          Status for the jail: nextcloud
          |- Filter
          |  |- Currently failed: 0
          |  |- Total failed:     0
          |  `- Journal matches:
          `- Actions
             |- Currently banned: 0
             |- Total banned:     0
             `- Banned IP list:
          
          black3dynamiteB 1 Reply Last reply Reply Quote 0
          • black3dynamiteB
            black3dynamite @Woti
            last edited by

            @Woti said in Fail2Ban not working with Fedora-Server Edition:

            I have now activated sshd and it works perfectly. But Nextcloud doesn't.
            What other jails do you use? What is recommended?

            sudo fail2ban-client status sshd
            Status for the jail: sshd
            |- Filter
            |  |- Currently failed: 1
            |  |- Total failed:     13
            |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
            `- Actions
               |- Currently banned: 1
               |- Total banned:     1
               `- Banned IP list:   77.16.71.32
            

            Nextcloud is missing matching Journal it looks like?

            sudo fail2ban-client status nextcloud
            Status for the jail: nextcloud
            |- Filter
            |  |- Currently failed: 0
            |  |- Total failed:     0
            |  `- Journal matches:
            `- Actions
               |- Currently banned: 0
               |- Total banned:     0
               `- Banned IP list:
            

            Here's mine
            c4651f60-1bba-4a2a-9905-e9585c6685ce-image.png

            1 Reply Last reply Reply Quote 0
            • black3dynamiteB
              black3dynamite
              last edited by

              /etc/fail2ban/filter.d/nextcloud.conf

              [Definition]
              failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
                        ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
                        ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
              

              /etc/fail2ban/jail.d/nextcloud.local

              [nextcloud]
              backend = auto
              enabled = true
              port = 80,443
              protocol = tcp
              filter = nextcloud
              maxretry = 5
              bantime = 36000
              findtime = 36000
              logpath = /var/nc_data/nextcloud.log
              
              [nginx-http-auth]
              enabled = true
              
              1 Reply Last reply Reply Quote 1
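An added example, not from any poster in this thread and not fail2ban's own code: the third failregex line and the jail's maxretry/findtime values from the post above, run over constructed Nextcloud-style log lines to show which hosts would be banned. The `<HOST>` substitution is a simplified stand-in for fail2ban's tag, and `sample_line`, `failures` and `hosts_to_ban` are hypothetical names.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IP literals only).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
# Third failregex line from the filter posted above.
FAILREGEX = re.compile((
    r'^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*",'
    r'"app":".*","method":".*","url":".*",'
    r'"message":"Login failed: .* \(Remote IP: <HOST>\).*}$'
).replace("<HOST>", HOST))
MAXRETRY, FINDTIME = 5, 36000  # from the [nextcloud] jail posted above


def sample_line(time, ip, message, level=2):
    """Constructed log line; the key order follows what the failregex expects."""
    entry = {"reqId": "constructed", "level": level, "time": time,
             "remoteAddr": ip, "user": "--", "app": "no app in context",
             "method": "POST", "url": "/login", "message": message,
             "userAgent": "constructed", "version": "0.0.0"}
    return json.dumps(entry, separators=(",", ":"))


def failures(lines):
    """Yield (epoch_seconds, host) for every line the failregex matches."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            when = datetime.fromisoformat(json.loads(line)["time"])
            yield when.timestamp(), m.group("host")


def hosts_to_ban(lines):
    """Hosts that reach MAXRETRY failures inside one FINDTIME window."""
    seen, banned = defaultdict(list), set()
    for ts, host in failures(lines):
        seen[host] = [t for t in seen[host] if ts - t <= FINDTIME] + [ts]
        if len(seen[host]) >= MAXRETRY:
            banned.add(host)
    return sorted(banned)


# Constructed sample: five failures from one address, one from another,
# and a successful login that must not count.
SAMPLE_LOG = [sample_line(f"2020-05-01T10:0{i}:00+00:00", "203.0.113.7",
                          "Login failed: admin (Remote IP: 203.0.113.7)") for i in range(5)]
SAMPLE_LOG += [sample_line("2020-05-01T10:06:00+00:00", "198.51.100.9",
                           "Login failed: bob (Remote IP: 198.51.100.9)"),
               sample_line("2020-05-01T10:07:00+00:00", "198.51.100.9",
                           "Login successful: bob", level=1)]
```

On the server, `fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` runs the real filter against the real log; zero matches there would explain a jail that stays at `Total failed: 0`.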
              • W
                Woti
                last edited by

                nextcloud.conf is the same as yours. As well as the path.
                But I have no nextcloud.local. The same content as yours is in jail.local.
                I'll try your solution.

                1 Reply Last reply Reply Quote 0
                • W
                  Woti
                  last edited by

                  Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                  My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                  black3dynamiteB 1 Reply Last reply Reply Quote 0
                  • black3dynamiteB
                    black3dynamite @Woti
                    last edited by

                    @Woti said in Fail2Ban not working with Fedora-Server Edition:

                    Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                    My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                    Temporarily set SELinux to permissive and try again. You might have to configure SELinux to allow access.

                    sudo setenforce permissive
                    
                    1 Reply Last reply Reply Quote 2
                    • W
                      Woti
                      last edited by

                      I used this command to give apache and php-fpm read and write access to the logfile:

                      semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
                      restorecon -Rv '/var/log/nextcloud/'
                      

                      But how to give fail2ban access through SELinux?
                      Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
                      Of course I can remove the above SELinux file context and issue:

                      semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
                      restorecon -Rv '/var/log/nextcloud/'
                      

                      This way I get read/write access to the nextcloud logfile for fail2ban, but not for apache php-fpm anymore.
                      It is confusing.

                      1 Reply Last reply Reply Quote 0
                      • W
                        Woti
                        last edited by

                        Finally I got it to work 🙂
                        I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
                        I tried and my test-IPs were banned 🙂

                        1 Reply Last reply Reply Quote 1